Danger Will Robinson! Ebay not safe for man nor beast!
Updated 08-01-2013 – See below

Heads up!

It seems that the ebaY community forums are under a spam attack, and their new forum moderation / social media service Lithium is asleep at the wheel! Same ol’ same ol! Who could imagine?

Here’s a look at the …


Malicious software includes 48 trojan(s), 36 exploit(s).

(Updated)

Several days ago I noticed that Paypal was showing infected at Google’s Safe Browsing tool page.

Looking again I see that the problems seem to be getting worse. The amount of malware detected is up since the last time they visited.

What happened when Google visited this site?

Of the 3662 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-22, and the last time suspicious content was found on this site was on 2013-04-05.

Malicious software includes 48 trojan(s), 36 exploit(s).


Over last weekend, November 28, 2010, a rather large ebaY powerseller, pugster888, a TRS (Top Rated Seller), had their account taken over and anywhere from around 57,000 to 70,000 (or more) fake high-end listings uploaded rapidly. The listings all contained an image of text urging would-be purchasers to contact the ‘seller’ at an off ebaY email address, a familiar MO.


Pure pugster pwnage! ;p

Above: There were many many more listings than this. I did not have time to sit around and watch.

Below: One of the dozens if not hundreds of listings for this particular piano.

Incredible Deals! Brand New! Free Shipping! ebaY Buyer Protection!;p

For those not following along, this sort of thing has happened too many times to recount them all here. Literally for years now. Yet ebaY refers to these events as isolated cases.

Of course the first things which jump right out regarding this time are the stature, feedback level, and longevity of the seller/victim.

Screencaps here show the rate at which these listings were pumped in. Note the amounts of listings inserted per minute, as the search terms are ‘newly listed’, and the search modifiers set to not show the seller’s legit items.

Note the time on the above screencap showing 56,985 fake listings. (7:23 AM)
Here is the scene at 4:51 AM, with 27,833 results/listings.

ebaY is Hacked, cracked, modbotted and zombied! ;p

That’s 29,152 fake listings in high fraud rate categories in about 2 1/2 hours’ time.

Legit sellers do not have that ability with such items. There is a delay of several hours before items become visible on the site when listing items in certain ‘high fraud’ categories. ebaY at one time touted them as “fraud filters”, the magical new weapon to building site trust and platform safety after our friend Vladuz reamed ebay. That is indicative of “hacking” as opposed to simple “account take over” (ATO) or ‘phishing’.

I’m curious to know whether ebaY would blame them for giving away their passwords? Or accuse pugster888 of falling victim to phishing attacks and getting their database hacked, as ebaY and its employees have?

Would the seller/victim admit they fell for a phishing or spearphishing ploy? Is this just another firm indication that the troubles at ebaY are much deeper and darker than most are aware?

I never examined the listings for the presence of any malware or dubious scripting etc, but it would be a reasonable assumption they may have also carried an additional payload of some type. The hackers everywhere are more crafty and sophisticated than ever. The ‘blended threat’ is more commonplace.

True to their Orwellian form, ebaY’s censors slithered out, and then back into the memory hole, taking with them ebaY forums threads regarding the event. Note the number 70K mentioned.

Finally, there were more victims with very similar listings: shakyahandicraft and 290401 (another TRS) to name a couple.
screencap of 290401 item
screencap of shakyahandicraft seller list

Over at the CAPP forum as well as on youtube, I have more recent scams/hacking/hijackings and victims documented.

Regardless of whatever ebaY’s Minitrue department may claim, these events and worse are very commonplace.

Does ebaY seem like a safe, trustworthy, and/or honest platform to buy, sell or surf on?

However, as shown in the video, this is nothing all that new…

For best results you’ll want to go to youtube or expand to fullscreen.

Fake eBay Security Shield Phishing Attack & Malware Ongoing Since November 2009

On April 1st, 2010 Red Condor Security blog published an alert regarding a phishing attack on ebaY, said to be hosting trojans and/or other executable malware on ebaY’s own servers.
Cappnonymous demonstrates the attack, and/or variant(s) thereof, has been ongoing since at least November 2009, and/or through more than one vector.

Pages/threads seen here:

Phishing Attack Posing as eBay Security Alert
http://tinyurl.com/yczjbtd
http://preview.tinyurl.com/yczjbtd

Re: ebay procedural warning – Excuse Me ???
http://tinyurl.com/yc3o8h6
http://preview.tinyurl.com/yc3o8h6

Malware showing up in eBay today JS:Pdfka-OE
http://tinyurl.com/y89oc5c
http://preview.tinyurl.com/y89oc5c

Re: trojans on ebay site…beware
http://tinyurl.com/yeoyplh
http://preview.tinyurl.com/yeoyplh

Virustotal.com (live page) results for :
eShield.exe
http://tinyurl.com/ybd87xv
http://preview.tinyurl.com/ybd87xv

screencapture:
AboutMe page used to host malicious download link
http://tinyurl.com/yj89m2q
http://preview.tinyurl.com/yj89m2q

screencapture:
Properties of malicious/compromised AboutMe page
http://tinyurl.com/yfpzqek
http://preview.tinyurl.com/yfpzqek

screencapture:
Virustotal results for :
eShield.exe
from 11.08.2009 @ 15.22.23
http://tinyurl.com/ylcqkof
http://preview.tinyurl.com/ylcqkof

Update, 05.26.2010

In case no one was paying attention, the file JS Pdfka-OE you see mentioned in the video as being a false positive by a pink has turned out to be a genuine exploit from the looks of things.

It now shows as malicious on half the major virus scanners via virustotal.com. So anyone who took eb’s advice got owned.

Still, no announcement, no retraction, update, clarification… no nothing from eb?
I wonder why that is? After all, it’s only literally millions of people’s lives potentially ruined?

I can’t stress this enough, the file was and likely still is being hosted on ebay’s very own servers, along with the other ‘security shield’, which is still being found on about me pages.
